ISO 27001 Compliance

DocLD provides security features aligned with ISO 27001 Information Security Management System (ISMS) requirements. See also GDPR, HIPAA, and the Overview Security & Compliance section.

Overview

ISO 27001 is an international standard for information security management. DocLD’s security features help organizations meet these requirements through:

Security event logging - Comprehensive security event tracking
Incident management - Security incident detection and response
Access reviews - Periodic access control reviews
Security metrics - Aggregated security reporting

Security Events

Event Types

DocLD logs security-relevant events:

Event Type	Description
`auth_failure`	Failed authentication attempt
`auth_lockout`	Account locked due to failures
`access_denied`	Unauthorized access attempt
`api_key_created`	New API key created
`api_key_revoked`	API key revoked
`api_key_expired`	API key expired
`api_key_used`	API key used for authentication
`privileged_action`	Administrative action performed

Event Structure


{
  "id": "uuid",
  "event_type": "auth_failure",
  "actor_id": "user-uuid",
  "actor_type": "user",
  "resource_type": "session",
  "resource_id": null,
  "outcome": "failure",
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0...",
  "metadata": {
    "reason": "Invalid password",
    "attempts": 3
  },
  "created_at": "2024-01-15T10:00:00Z"
}

Viewing Events

Access security events:

Settings → Security → Events
API: GET /api/security/metrics

Incident Management

Incident Detection

DocLD automatically detects security incidents:

Incident Type	Trigger
`login_lockout`	Account locked after failures
`repeated_auth_failure`	Multiple auth failures
`access_denied_spike`	Unusual access denial rate
`api_key_abuse_suspected`	Abnormal API key usage

Incident Structure


{
  "id": "uuid",
  "detected_at": "2024-01-15T10:00:00Z",
  "type": "repeated_auth_failure",
  "severity": "medium",
  "summary": "User account experienced 5 failed login attempts",
  "status": "open",
  "metadata": {
    "user_id": "user-uuid",
    "ip_addresses": ["192.168.1.1", "192.168.1.2"],
    "attempt_count": 5
  }
}

Incident Severity

Severity	Description	Response Time
`critical`	Immediate threat	< 1 hour
`high`	Significant risk	< 4 hours
`medium`	Moderate risk	< 24 hours
`low`	Minor issue	< 1 week

Incident Status

Status	Description
`open`	Newly detected
`investigating`	Under investigation
`contained`	Threat contained
`resolved`	Root cause addressed
`closed`	Incident closed

Managing Incidents


# List incidents
curl -X GET "/api/security/incidents?status=open" \
  -H "Authorization: Bearer YOUR_API_KEY"
 
# Update incident status
curl -X PATCH "/api/security/incidents/{id}" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{"status": "investigating"}'

Access Reviews

Purpose

Periodic access reviews ensure:

Users have appropriate access
Unused accounts are identified
API keys are still needed
Permissions are current

Access Review API


curl -X GET "/api/security/access-review?format=json" \
  -H "Authorization: Bearer YOUR_API_KEY"

Review Contents

The access review includes:

All API keys and their usage
Last access timestamps
Permission levels
Organization memberships

Review Format


{
  "api_keys": [
    {
      "id": "key-uuid",
      "name": "Production API",
      "created_at": "2024-01-01T00:00:00Z",
      "last_used_at": "2024-01-15T10:00:00Z",
      "total_requests": 5000,
      "is_active": true,
      "expires_at": null
    }
  ],
  "generated_at": "2024-01-15T12:00:00Z"
}

Security Metrics

Aggregated Metrics


curl -X GET "/api/security/metrics?from=2024-01-01&to=2024-01-31" \
  -H "Authorization: Bearer YOUR_API_KEY"

Response


{
  "period": {
    "from": "2024-01-01T00:00:00Z",
    "to": "2024-01-31T23:59:59Z"
  },
  "metrics": {
    "auth_failures": 25,
    "auth_lockouts": 2,
    "access_denied": 10,
    "api_keys_created": 5,
    "api_keys_revoked": 2,
    "privileged_actions": 15
  },
  "incidents": {
    "total": 3,
    "by_severity": {
      "critical": 0,
      "high": 1,
      "medium": 2,
      "low": 0
    },
    "by_status": {
      "open": 1,
      "resolved": 2
    }
  }
}

Control Mapping

A.9 Access Control

Control	Implementation
A.9.1 Business requirements	Role-based access
A.9.2 User access management	User provisioning API
A.9.3 User responsibilities	Password policies
A.9.4 System access control	API key authentication

A.12 Operations Security

Control	Implementation
A.12.4 Logging and monitoring	Security event logging
A.12.6 Technical vulnerability	Regular security updates

A.16 Incident Management

Control	Implementation
A.16.1 Management of incidents	Incident detection and response

A.18 Compliance

Control	Implementation
A.18.1 Compliance with legal requirements	GDPR, HIPAA support
A.18.2 Information security reviews	Access review API

Best Practices

Access Management

Principle of least privilege - Grant minimum necessary access
Regular reviews - Conduct quarterly access reviews
Prompt revocation - Remove access immediately when not needed
MFA enforcement - Enable multi-factor authentication

Monitoring

Review logs daily - Check security events
Set up alerts - Configure incident notifications
Track metrics - Monitor security trends
Document incidents - Keep incident records

Documentation

Maintain policies - Keep security policies current
Document procedures - Write incident response procedures
Track changes - Log configuration changes
Audit trail - Preserve audit logs

Technical Controls

DocLD implements:

Control	Method
Encryption at rest	AES-256
Encryption in transit	TLS 1.3
Authentication	API keys, sessions
Authorization	Role-based access
Audit logging	Comprehensive logs
Backup	Encrypted backups
Availability	Multi-region deployment